Remote Code Execution
Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access.
How It Works
Remote Code Execution represents the critical moment when an attacker successfully runs arbitrary code on a target system without physical access. Unlike a single vulnerability class, RCE is an outcome—the catastrophic result of exploiting underlying weaknesses in how applications process input, manage memory, or handle executable content.
Attackers typically achieve RCE by chaining vulnerabilities or exploiting a single critical flaw. Common pathways include injecting malicious payloads through deserialization flaws (where untrusted data becomes executable objects), command injection (where user input flows into system commands), buffer overflows (overwriting memory to hijack execution flow), or unsafe file uploads (placing executable code on the server). Server-Side Template Injection and SQL injection can also escalate to code execution when attackers leverage database or template engine features.
The attack flow usually begins with reconnaissance to identify vulnerable endpoints, followed by crafting a payload that exploits the specific weakness, then executing commands to establish persistence or pivot deeper into the network. Modern exploits often use multi-stage payloads—initial lightweight code that downloads and executes more sophisticated tooling.
Impact
- Complete system compromise — attacker gains shell access with application privileges, potentially escalating to root/SYSTEM
- Data exfiltration — unrestricted access to databases, configuration files, credentials, and sensitive business data
- Lateral movement — compromised server becomes a beachhead to attack internal networks and other systems
- Ransomware deployment — direct pathway to encrypt files and disable backups
- Persistence mechanisms — installation of backdoors, web shells, and rootkits for long-term access
- Supply chain attacks — modification of application code or dependencies to compromise downstream users
Real-World Examples
The n8n workflow automation platform (CVE-2024-21858) demonstrated how RCE can emerge in unexpected places-attackers exploited unsafe workflow execution to run arbitrary code on self-hosted instances. The Log4j vulnerability (Log4Shell) showed RCE at massive scale when attackers sent specially crafted JNDI lookup strings that triggered remote class loading in Java applications worldwide.
Atlassian Confluence instances have faced multiple RCE vulnerabilities through OGNL injection flaws, where attackers inject Object-Graph Navigation Language expressions that execute with server privileges. These required no authentication, enabling attackers to compromise thousands of internet-exposed instances within hours of disclosure.
Mitigation
- Input validation and sanitization — strict allowlists for all user-controlled data, especially in execution contexts
- Sandboxing and containerization — isolate application processes with minimal privileges using containers, VMs, or security contexts
- Disable dangerous functions — remove or restrict features like code evaluation, system command execution, and dynamic deserialization
- Network segmentation — limit blast radius by isolating sensitive systems and restricting outbound connections
- Web Application Firewalls — detect and block common RCE patterns in HTTP traffic
- Runtime application self-protection (RASP) — monitor application behavior for execution anomalies
- Regular patching — prioritize updates for components with known RCE vulnerabilities
Recent CVEs (31864)
Hardcoded default administrator password in Pheditor (all versions prior to 2.0.6) lets remote unauthenticated attackers log in as admin using the string 'admin' — the SHA-512 hash of which is baked into pheditor.php line 11 — and then abuse the built-in terminal and file-upload features for immediate remote code execution. Any deployment left on defaults is trivially compromised because there is no forced password change, expiry, lockout, or setup wizard. A working PoC is published in the GitHub Security Advisory, though there is no public exploit identified in active in-the-wild campaigns and no EPSS/KEV data is provided.
Build-time remote code execution in Nuclio (serverless/FaaS platform) versions <= 1.15.27 lets remote attackers run arbitrary OS commands as root inside the function-builder container. The Java runtime renders user-supplied runtimeAttributes.repositories values into a Groovy build.gradle file via Go's text/template using the non-escaping {{ . }} action, so an attacker can inject a closing brace to break out of the repositories {} block and append Groovy that Gradle executes during its configuration phase. Because the Dashboard API defaults to NOP (no) authentication, exploitation needs no credentials; a dynamically-verified proof-of-concept is published in the vendor advisory, though there is no public exploit identified as being used in active attacks.
Remote kernel heap corruption in the illumos SCTP stack lets an unauthenticated attacker send a crafted INIT ACK packet with malformed address parameters to trigger an out-of-bounds access during packet classification, potentially leading to remote code execution or a kernel panic. The flaw affects illumos-gate and downstream distributions (OmniOS, SmartOS/Triton) built before commit 53a3efde, and has existed since 2010 (commit a5407c02). There is no public exploit identified at time of analysis and the CVSS 4.0 exploit-maturity metric is Unreported (E:U), but the attack requires no authentication or user interaction.
Arbitrary file disclosure in Envoy Gateway's controller allows a low-privileged tenant who can create an EnvoyExtensionPolicy to read sensitive files from the gateway controller pod. A path-normalization gap in the security.lua critical-path check (CWE-20) lets attacker-supplied Lua bypass the read restriction using double-slash paths (e.g. //etc/passwd), exposing Kubernetes service-account tokens, TLS certificates, and process environment. No public exploit identified at time of analysis, but the vendor advisory documents the exact bypass and CVSS is rated 9.1.
Path traversal in Activepieces Enterprise Edition git-sync prior to 0.82.0 allows an authenticated project administrator to overwrite arbitrary files on the host filesystem, with potential impact ranging from data tampering and denial of service to remote code execution. Two distinct weaknesses compound each other: Git's symbolic-link handling was not disabled during repository cloning, and user-supplied identifiers - repository slug and the externalId fields for flows, tables, and connections - were concatenated into filesystem paths without sanitization of directory-traversal sequences. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the patch commit makes exploitation paths derivable by any skilled attacker reviewing the open-source diff.
Code injection in remorses/genql (the @genql/cli TypeScript GraphQL client generator) before 6.3.4 lets an actor who controls the GraphQL schema fed to genql smuggle arbitrary TypeScript/JavaScript into the generated schema.ts file, which then executes when a downstream consumer bundles and imports the client. The flaw stems from GraphQL type/field descriptions containing a `*/` sequence that breaks out of the generated JSDoc comment block. There is no public exploit identified at time of analysis and it is not in CISA KEV; the issue was responsibly disclosed (issue #197) and reported by CISA (cisa-cg), with a vendor patch in 6.3.4.
Code injection in Frogman before 1.6.2 lets an authenticated PERM_WRITE caller of the MCP/HTTP dialplan API inject arbitrary Asterisk directives - including System() and Set(SHELL(...)) - into extensions_custom.conf, yielding remote command execution on the PBX host. The flaw stems from fm_dialplan_apply sanitizing only the context name while passing template parameters such as greeting, dest, url, extension, code, and file into generated dialplan text unchecked. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but the CVSS is 9.9 and the fix (v1.6.2) plus root-cause commit are public.
Local privilege escalation to arbitrary code execution affects Lenovo App Store, a software-distribution client shipped exclusively on Lenovo devices in the Chinese market. A local authenticated user who can interact with the application can leverage its excessive privileges (CWE-250) to run arbitrary code at an elevated privilege level, with high confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so no active exploitation is confirmed.
Local code execution in Lenovo App Store (Chinese-market distribution only) lets an authenticated local user abuse a path traversal weakness to write or load files outside intended directories and run arbitrary code. The flaw was self-reported by Lenovo and carries a CVSS 4.0 base score of 7.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality, integrity, and availability of the local system, but exploitation requires existing low-privilege local access plus user interaction.
Local code execution in Lenovo Legion Zone and the Lenovo App Store (China-market Windows builds) allows an authenticated local user to run arbitrary code when either application is installed on a non-system partition. The flaw stems from insecure directory/file permissions (CWE-277) that a low-privileged user can abuse to plant or modify executable content later run with higher privilege. No public exploit is identified at time of analysis and it is not listed in CISA KEV; impact is confined to systems where these Chinese-market Lenovo utilities are deployed to a non-default drive.
Arbitrary JavaScript execution in Microsoft's @prompty/core TypeScript loader (2.0.0-alpha.1 through 2.0.0-beta.2) allows an attacker who supplies a crafted .prompty file to run code during prompt loading. The loader passed .prompty markdown to gray-matter without disabling its executable 'js'/'javascript' frontmatter engines, so a '---js' frontmatter block is evaluated as Node.js at parse time. Exploitation requires the victim's application to load the malicious file (UI:P); no public exploit is identified at time of analysis and it is not on CISA KEV, but the fix commit ships a working proof-of-concept test.
Unauthenticated remote code execution in SGLang (versions 0 through 0.5.14) arises when the expert-parallel backup subsystem binds a ZeroMQ PULL socket to a routable interface without authentication or safe deserialization, letting a network attacker send a crafted pickle payload that executes arbitrary code in the serving process. It affects deployments where the elastic expert-parallel backup feature is enabled and the socket is reachable. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Command injection in Microsoft Kiota before 1.32.5 lets a malicious or compromised OpenAPI description dictate the install command that Kiota presents to developers. When a developer runs `kiota info` (or the VS Code extension's `kiota info --json` dependency-install flow) against an attacker-controlled spec, Kiota reads the `x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand` field plus attacker-chosen dependency name/version values and surfaces them as its trusted recommended install command, achieving arbitrary command execution when that command is run. No public exploit has been identified at time of analysis and it is not in CISA KEV, but the fix explicitly removes the untrusted extension field.
{...}, $var, or {$obj->prop} are emitted verbatim inside PHP double-quoted literals and interpolated as code when the generated client runs. No public exploit identified at time of analysis, though the fix commit ships a test demonstrating the ${env('HOME')} injection primitive; EPSS and KEV data were not provided.
Code injection in Microsoft Kiota's Python client generator (versions prior to 1.32.0) allows an attacker who controls an OpenAPI description to embed arbitrary Python that executes when a developer generates and imports the resulting client. The flaw stems from unsanitized x-ms-enum.values[].description strings being emitted as inline comments; embedded newlines break out of the comment and run at module scope. No public exploit identified at time of analysis, and the issue is not in CISA KEV. The assigned CVSS 3.1 base score is 7.5, though its impact metrics (C:N/I:N/A:H) understate what is functionally full code execution.
{expr}, #$var, or #@var markers are treated as live Ruby interpolation inside generated model classes. There is no public exploit identified at time of analysis and it is not in CISA KEV, but a fix is confirmed in release v1.32.0.
{}//') demonstrating the break-out.
Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment such as Flatpak load an attacker-controlled library and execute arbitrary code on the host user's session. The flaw (CWE-427) is present in PipeWire as shipped in Red Hat Enterprise Linux 7, 8, 9 and 10 and carries a scope-changing CVSS 3.1 score of 8.8. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Root-level remote code execution in Canonical's ubuntu-pro-client (formerly ubuntu-advantage-tools) allows an attacker who can spoof or tamper with the Ubuntu Pro contract server response to inject arbitrary APT source lines and install malicious root-owned packages. The client builds /etc/apt/sources.list.d entries from the server's directives.suites[] and directives.aptURL fields via Python str.format() without escaping or newline filtering, and passes additionalPackages[] positionally into a root-run apt-get install. Because the component is preinstalled on supported Ubuntu Server releases and auto-attaches on cloud Ubuntu Pro images the exposure is broad; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file deletion in the Uncanny Automator WordPress plugin (all versions through 7.3.1.4) lets unauthenticated attackers delete any file on the server via untrusted PHP object deserialization in the fr_token function, and deleting a critical file such as wp-config.php can pivute WordPress into an installation/setup state that yields remote code execution. Exploitation is gated by a specific setup: a Forminator form must be connected to an Uncanny Automator recipe whose trigger is configured for 'Everyone', which is what exposes the deserialization sink to anonymous form submissions. A self-contained gadget chain via Action_Helpers_Email::__destruct() ships inside the plugin, so no external gadget library is needed; reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.
Missing authentication in @andrea9293/mcp-documentation-server v1.13.0 exposes its document-management Web UI/API on all network interfaces (0.0.0.0:3080) instead of localhost, letting any adjacent-network client read, add, search, and delete documents in the MCP knowledge base without credentials. Rated CVSS 8.8 (CWE-306), the flaw is exploitable by unauthenticated attackers reachable over the same LAN, VM network, Docker bridge, or VPN. A detailed proof-of-concept exists in the reporter's advisory, though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV; the vendor fixed it in v1.13.1.
Drive-by local filesystem exfiltration in FiftyOne versions below 1.17.0 allows any malicious website to silently read arbitrary files from a victim's machine. The FiftyOne App server unconditionally returns Access-Control-Allow-Origin: * on all responses, and the unauthenticated /media endpoint serves local filesystem files by path - together these let JavaScript on any visited webpage fetch files such as SSH keys, cloud credentials, or .env files from localhost:5151 and relay them to an attacker-controlled server. No public exploit (KEV or confirmed POC) is identified at time of analysis, but the attack requires no special tooling and is trivially reproducible in Safari and Firefox, which lack Private Network Access protections.
Sandbox escape with SYSTEM-level code execution in Sandboxie-Plus before 1.17.6 allows a process confined inside a sandbox to run arbitrary code in an unsandboxed host process. The privileged GuiServer service trusts attacker-supplied thread and function-pointer values from a GUI window-hook registration request and dispatches them via QueueUserAPC while running as SYSTEM, defeating the core isolation guarantee of the product. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the mechanism is a full sandbox-to-host escape.
Path traversal in nvm versions 0.32.1 through 0.40.5 allows a hostile Node.js mirror to overwrite arbitrary files in the victim's home directory, including shell startup files, leading to code execution on the next shell session. The vulnerability exists in `nvm ls-remote`, `nvm install --lts`, and any other nvm command that refreshes remote LTS aliases by fetching and parsing a mirror's `index.tab` - the LTS codename field is used as an alias filename without sanitization, permitting sequences like `../../../.bashrc` to escape `$NVM_DIR/alias`. No public exploit identified at time of analysis, but a working proof-of-concept is embedded in the upstream test suite added in the fix commit.
Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the host by chaining a Host-header spoof (to reach routes that are supposed to be localhost-only) with unsanitized MCP plugin arguments that flow into child_process.spawn() via the /api/mcp//sse endpoint. Rated CVSS 8.8 (CWE-78, OS command injection), it is fixed in 0.5.2; no public exploit or CISA KEV listing exists at time of analysis, though a vendor advisory and fix commit are published.
Remote authenticated code execution in DataEase before 2.10.23 lets a low-privileged user abuse the Excel/datasource upload workflow to run arbitrary Java. By uploading a crafted payload.zip via /datasource/upload and defining an H2 datasource that references the archive through the zip: protocol, an attacker forces CalciteProvider.jdbcFetchResultField to execute a query that triggers precompiled Java aliases embedded in test.mv.db. The vendor CVSS 4.0 vector scores this 7.1 (confidentiality-only), but the underlying primitive is full arbitrary code execution; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Reflection-based remote code execution in DataEase before 2.10.23 lets an authenticated operator who can configure a Redshift datasource achieve arbitrary code execution on the server. The Redshift JDBC driver loads an attacker-controlled rsjdbc.ini from the system temp directory and honors a malicious socketFactory pointing at Spring's FileSystemXmlApplicationContext, turning a normal JDBC connection into a code-execution chain. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor has confirmed and patched the flaw in 2.10.23.
Server-side arbitrary code execution in TDengine time-series database (versions prior to 3.4.1.15) allows a database user holding the 'create udf' privilege to upload a malicious shared library, register it as a user-defined function (e.g. named 'eval'), and execute attacker-controlled native C code on the server by invoking that function through ordinary SQL queries. This is a privileged-user code injection issue (CWE-94) with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw is fixed in version 3.4.1.15.
Stack-based buffer overflow in TDengine (open-source IoT time-series database) versions 3.4.1.6 and earlier allows an authenticated user to trigger a one-byte out-of-bounds write by submitting SQL containing crafted escape sequences (\%, \_, or \x), leading to denial of service and potentially remote code execution. The flaw sits in the SQL parser's trimString() routine, which validates only a single byte of remaining space in the tmpTokenBuf stack buffer before writing escape-processed data. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in version 3.4.1.14.
Remote code execution in Cherry Studio 1.2.2 through 1.9.12 lets attackers who control search-provider content run arbitrary Node.js code because the SearchService loads that content into an Electron BrowserWindow with nodeIntegration enabled and contextIsolation disabled. An attacker controlling a search engine provider, search result page, or provider settings page can execute JavaScript with full Node.js privileges under the OS account running the app. Publicly available exploit code exists (VulnCheck/Mundi-Xu gist) and a vendor patch (commit 1518530) is available; the flaw is not currently listed in CISA KEV.
Authenticated remote code execution in LangBot (pip package 'langbot', versions <= 4.10.5) allows any logged-in user to run arbitrary OS commands on the host by registering a malicious 'STDIO' MCP server through the Extensions > MCP configuration UI. Because LangBot passes the user-supplied command straight to the MCP SDK's StdioServerParameters, which spawns it as a subprocess, an attacker who signs up or uses stolen credentials gains full host takeover. A step-by-step and video proof-of-concept is public (publicly available exploit code exists), though there is no confirmed active exploitation.
Out-of-bounds write in the Zephyr RTOS ADIN2111/ADIN1110 single-pair Ethernet driver (eth_adin2111.c) lets an attacker on the same 10BASE-T1S/T1L segment corrupt kernel memory by sending an oversized frame in OPEN Alliance SPI mode. Because per-chunk length and chunk count (up to 255) come straight off the wire with no bounds check on the reassembly cursor, the RX offload thread writes attacker-controlled bytes-up to ~14.8 KB-past the fixed 1524-byte static buffer, enabling denial of service and potentially remote code execution. There is no public exploit identified at time of analysis; the flaw was introduced in commit 0ca8b0756b1 and shipped in v3.7.0 through v4.4.0.
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. Reported by VulnCheck, it is fixed in commit d710d68 (PR #21832) via an instantiator allowlist, and publicly available exploit code exists though it is not listed in CISA KEV.
Authenticated remote code execution in MantisBT versions 1.3.0 through 2.28.3 allows an administrator to run arbitrary PHP as the web server user (www-data) via the 'Manage Configuration' page (adm_config_set.php). When a config value is stored with a non-string type, the ConfigParser/Tokenizer path calls eval() on attacker-controlled code guarded only by a 'return;' prefix; because PHP hoists class and function declarations at compile time regardless of the return, an attacker can plant a class that later hijacks the autoloader. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported privately by watchTowr and fixed in 2.28.4.
Remote code execution in Metabase (open-source business intelligence platform) versions 1.54.0 through the fixed releases lets a user holding database-connection management rights run arbitrary code on the Metabase server. By pointing a Snowflake connection at an attacker-controlled server, a flaw in the bundled Snowflake JDBC driver writes attacker files anywhere on the host, overwriting one of Metabase's own driver files that later executes inside the Metabase process. There is no public exploit identified at time of analysis, but the vendor rates it CVSS 10.0 and a vendor security advisory (GHSA-r6x2-rchx-q9g9) confirms both the flaw and fixed versions.
Command injection in Tabby (formerly Terminus) terminal emulator before 1.0.234 lets an attacker achieve code execution by tricking a victim into dragging and dropping a crafted file whose path contains shell command-substitution metacharacters ($(...) or backticks). Because the drop handler in tabby-electron/src/pathDrop.ts inserted the raw path into the active shell without neutralizing these characters, the payload runs when the victim presses Enter. This is an incomplete-fix follow-up to CVE-2026-45038, which only addressed control characters; no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (DoS) and, on hosts with ASLR disabled or bypassed, potentially execute arbitrary code by sending crafted HTTP requests. The flaw is a data-plane-only issue triggered when a regex-based map directive references the map's regex capture variables before the map output variable in a string expression, or via a non-cacheable variable under certain conditions. F5 has released a patched version; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled web content reach an unauthenticated local agent endpoint from inside the sandbox, compromising the session. Affecting Cursor Cloud Agent sessions prior to the 03/31/2026 fix, an attacker who gets a browsing agent to load malicious content can run code in the sandbox and read repository contents, environment variables, credentials, and GitHub App access tokens scoped to that session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw is a missing-authentication (CWE-306) authentication-bypass class issue with high confidentiality, integrity, and availability impact to the affected session.
Remote code execution in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.3 is achievable by authenticated API users holding the api.media.write permission via a double-extension file upload bypass. The HandlesMediaUploads::validateFileExtension() method uses PHP's pathinfo() to inspect only the final file extension, meaning a file named shell.php.jpg passes the dangerous-extension blocklist while retaining a .php segment that certain web server configurations will execute as PHP. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique is well-understood and exploitation is low-complexity once permission prerequisites are met.
Arbitrary code execution in PraisonAI (praisonaiagents) before 1.6.78 lets an attacker who can drop a Python file into a plugin directory run their own code. The plugin manager auto-discovers and executes any .py file found in project-level or user-home .praisonai/plugins/ directories at initialization, with no code signing, integrity checks, or sandboxing. VulnCheck reported it under CWE-94; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Path-traversal remote code execution in PraisonAI (mervinpraison/praisonai) before 1.6.78 lets an authenticated agent user abuse SkillTools.run_skill_script(), which executes skill scripts without validating that the supplied path stays inside the intended working directory. Because absolute file paths are accepted, a low-privileged attacker can point the skill runner at any executable script on the host and run it. No public exploit code has been identified and it is not in CISA KEV, but the flaw was reported by VulnCheck and a GitHub Security Advisory (GHSA-c44f-37qr-gw3f) confirms the fix.
OS command execution in PraisonAI before 4.6.78 lets an attacker who can supply a workflow definition escape the inline-Python sandbox and run arbitrary shell commands with the privileges of the agent process. The flaw lives in JobWorkflowExecutor._exec_inline_python(), whose AST-based validation fails to reject `import os` followed by `os.system()`, turning a malicious YAML workflow file into RCE. No public exploit code or CISA KEV listing is identified at time of analysis, though the bypass technique is described in detail in the vendor advisory.
Code injection in PraisonAI before 4.6.78 lets attackers who control deployment configuration achieve arbitrary Python execution because the API-server deployment generator fails to safely encode the deploy.api.host and agents_file values before emitting them into generated Python source (CWE-94). Injected expressions run when the generated API server starts or handles requests, yielding full code execution in the server process. No public exploit is identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.
Stored server-side template injection in Grav's bundled Flex Objects plugin (getgrav/grav-plugin-flex-objects) before 1.4.0 lets a low-privileged content author inject Twig code through the dynamic collection/object title frontmatter, which is passed unsanitized to template_from_string() and executed. Because the title path bypasses Grav's Security::cleanDangerousTwig() filter, an attacker can reach internal Grav services such as the scheduler and escalate arbitrary Twig evaluation to full remote command execution. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Open WebUI (self-hosted LLM interface) before the fixed 0.3.33 release allows attackers to hijack an authenticated admin session through a CORS misconfiguration. When an instance is deployed with allow_origins=* and an authenticated admin visits an attacker-controlled website, the malicious page can issue authenticated cross-origin requests to the /api/v1/functions endpoint and register attacker-supplied Python code, achieving code execution - and because the container runs as root by default, full container compromise. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the flaw is documented in a GitHub Security Lab advisory (GHSL-2024-174/175) and reported by VulnCheck.
Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.
Arbitrary code execution in the HYPER SBI 2 installer (SBI Securities' online trading application) allows a local attacker to run code with the invoking user's privileges by planting a crafted DLL in the installer's directory. The flaw stems from insecure DLL search-path loading (CWE-427) and requires the victim to launch the installer from an attacker-influenced folder. No public exploit has been identified at time of analysis; the issue was reported by JPCERT/CC and published via JVN.
Remote code execution in xszyou Fay 4.3.1 lets an unauthenticated remote attacker reach the publicly exposed MCP (Model Context Protocol) management interface and register an MCP STDIO server with attacker-chosen commands, which the service then executes on the host. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N) reflecting network-reachable, no-authentication, low-complexity exploitation. There is no public exploit identified at time of analysis; EPSS is modest at 0.61% (45th percentile), and this CVE is part of a broader MCP-ecosystem supply-chain advisory published by ox.security.
Command injection in LiteLLM 1.18.10 lets attackers who can configure MCP (Model Context Protocol) servers supply arbitrary `command` and `args` values in the server-creation JSON, which LiteLLM passes to the host OS without validation, yielding remote code execution as the LiteLLM process. The flaw is part of the broader MCP-stdio supply-chain advisory disclosed by ox.security across the AI ecosystem and is documented in LiteLLM's own April 2026 advisory. No public exploit is identified in the provided data, and EPSS is low (0.32%, 24th percentile), so widespread automated exploitation is not currently indicated despite the CVSS 9.8 rating.
Reflected Cross-Site Scripting in xxl-job-admin v.3.0.0 allows a remote unauthenticated attacker to execute arbitrary JavaScript in a victim's browser by tricking an authenticated user into clicking a crafted HTTP GET request containing an unsanitized malicious script payload. The vulnerability carries a CVSS 3.1 score of 6.1 with Scope Changed, indicating the injected script can affect browser-level resources beyond the immediate application context, enabling session hijacking, credential theft, or redirection against admin-level users. No public exploit identified at time of analysis in CISA KEV, though a public PoC repository exists and the EPSS score sits at the 31st percentile, indicating modest but non-trivial exploitation interest.
Heap out-of-bounds read/write in OpenHTJ2K (High-Throughput JPEG 2000 reference codec) v0.18.4 and earlier lets an attacker corrupt heap memory by supplying a crafted J2K/JP2 codestream, with a confirmed heap information-leak primitive and vendor-claimed arbitrary code execution. The flaw is reached through every decoder entry point (invoke, invoke_line_based, invoke_line_based_stream, invoke_line_based_predecoded) and, notably, through a JPIP server's startup codestream load, making it network-reachable without user interaction. There is no public exploit identified at time of analysis, though the vendor changelog references non-public PoC files, and the issue is not listed in CISA KEV.
Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the j2k_precinct_subband::parse_packet_header() in source/core/coding/coding_units.cpp
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to 6.4.2, a user with code execution as the unprivileged pihole user can escalate to root by replacing /etc/pihole/logrotate. The replacement is laundered to root:root ownership by pihole-FTL-prestart.sh and then parsed as root by the daily pihole flush cron, executing firstaction shell as uid 0. This issue is fixed in version 6.4.3.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator is affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
CAI Content Credentials is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
CAI Content Credentials is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Illustrator is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.
Remote code execution in Aetopia Digital Asset Management (DAM) v1.0.0 is achievable through a server-side template injection flaw: attacker-controlled input in the 'name' and 'description' parameters of the Add/Update Project function is evaluated by the server-side template engine, letting an attacker run arbitrary code on the host. NVD scores this CVSS 9.8 (network, low complexity, no privileges required), and a public researcher writeup detailing the SSTI exists on the eslam3kl GitBook; however, there is no public exploit identified as weaponized code and it is not listed in CISA KEV, so it is not confirmed as actively exploited. Note the CVSS PR:N rating conflicts with the fact that Add/Update Project is normally an authenticated application feature.
Arbitrary code execution in andreimarcu linx-server (a self-hosted file/media sharing service) versions 1.0 through 2.3.8 can be triggered by a remote attacker abusing a Cross-Site Request Forgery flaw in the uploadPutHandler function, per NVD and MITRE. Because the upload endpoint lacks anti-CSRF protection, an attacker can forge upload requests that ride an authenticated victim's session to achieve code execution. No public exploit has been identified in the provided data, though a third-party vulnerability report is referenced; the flaw is not listed in CISA KEV and no EPSS score was supplied.
Arbitrary code execution in Adobe ColdFusion allows an attacker with low-privileged access on an adjacent network to bypass authorization controls (CWE-863) and run code in the context of the current user, with a scope change that lets the impact extend beyond the vulnerable component. Adobe PSIRT reported the flaw and published advisory APSB26-82; it is tagged as RCE and authentication bypass with a CVSS 3.1 base score of 9.0. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the incorrect-authorization-to-RCE pattern in ColdFusion has historically drawn rapid attacker interest.
Missing authentication in Adobe ColdFusion allows an unauthenticated attacker on an adjacent network to trigger arbitrary code execution in the context of the current user, without any user interaction. The flaw (CWE-306) bypasses authentication on a critical function and carries a scope change, meaning the impact reaches beyond the vulnerable component. There is no public exploit identified at time of analysis, but the issue was reported by Adobe PSIRT and addressed in advisory APSB26-82.
SQL injection in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows an authenticated attacker to inject crafted SQL and achieve arbitrary code execution in the context of the current user without any user interaction. The flaw carries a critical 9.9 CVSS with a changed scope, meaning impact extends beyond the vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the total technical impact and low attack complexity make it a high-priority patch for internet-facing ColdFusion servers.
Code injection (CWE-94) in Adobe ColdFusion 2023 (Update 21 and earlier) and ColdFusion 2025 (Update 10 and earlier) allows a low-privileged, network-adjacent attacker to execute arbitrary code in the context of the current user without any user interaction. Because the CVSS scope is changed, successful exploitation can extend impact beyond the vulnerable component to the underlying host. There is no public exploit identified at time of analysis and the EPSS probability is low (0.43%, 35th percentile), but the near-maximum CVSS of 9.9 and Adobe's own PSIRT reporting make this a high-priority patch.
Arbitrary code execution in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) is possible through a path traversal weakness that a low-privileged remote attacker can trigger without user interaction to run code in the context of the current user. The CVSS 9.9 rating reflects a scope change (S:C), meaning impact reaches beyond the vulnerable component. No public exploit is identified at time of analysis, and CISA SSVC currently records exploitation as none, though ColdFusion is a historically heavily targeted product.
Arbitrary code execution in Adobe ColdFusion 2023 and 2025 allows an attacker with low privileges to run code in the context of the current user without any user interaction, per Adobe advisory APSB26-82 (CVSS 9.9, scope-changed). The flaw stems from improper input validation (CWE-20) and carries a total technical impact per CISA SSVC. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the EPSS score of 2.17% sits in the 80th percentile.
Arbitrary code execution in Adobe Bridge allows an attacker to run code in the context of the current user by tricking a victim into opening a maliciously crafted file that triggers an untrusted pointer dereference (CWE-822). The flaw is local and file-based, requiring user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation yields full impact on confidentiality, integrity, and availability limited to the privileges of the user running Bridge.
Arbitrary code execution in Adobe Bridge is possible through an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted file, running attacker code in the context of the current user. All versions covered by Adobe advisory APSB26-81 are affected, and while there is no public exploit identified at time of analysis, the local user-interaction attack pattern is consistent with weaponized document/asset lures. The CVSS 7.8 (High) rating reflects full confidentiality, integrity, and availability impact once a victim is socially engineered into opening the file.
Arbitrary code execution in Adobe Bridge is possible when a victim opens a maliciously crafted file that triggers a heap-based buffer overflow (CWE-122), letting an attacker run code in the context of the current user. The flaw was reported by Adobe and disclosed in advisory APSB26-81; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is file-borne and requires user interaction, so it is not remotely triggerable without a user opening attacker-supplied content.
Arbitrary code execution in Adobe Bridge results from an out-of-bounds write (CWE-787) that a victim triggers by opening a malicious file, running attacker-supplied code with the privileges of the current user. The flaw is local (AV:L) and requires user interaction, so it is a client-side, file-borne bug rather than a remotely reachable service vulnerability. No public exploit identified at time of analysis and it is not listed in CISA KEV; Adobe patched it in advisory APSB26-81.
Arbitrary code execution in Adobe Bridge arises from an integer overflow (CWE-190) triggered when a victim opens a maliciously crafted file, allowing an attacker to run code in the context of the current user. The flaw is local and requires user interaction, carrying a CVSS 7.8 (High) score. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary code execution in Adobe Bridge is possible when a victim opens a maliciously crafted file, triggering an out-of-bounds write (CWE-787) that executes attacker-controlled code in the context of the current user. The flaw affects Adobe Bridge as reported by Adobe (advisory APSB26-81) and is rated CVSS 7.8; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is local and hinges entirely on user interaction - the victim must open the malicious file.
Local arbitrary code execution in Adobe Creative Cloud Desktop lets a low-privileged user run code in the context of the current user by exploiting an uncontrolled search path (CWE-427) — the class of flaw where an application loads a library or executable from an attacker-influenced directory. Adobe (CVE-2026-48272) rates it CVSS 7.8, but the vector is local with high attack complexity and requires existing low-level privileges, and exploitation depends on conditions beyond the attacker's control. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a defense-in-depth patch rather than an emergency.
Local privilege escalation to arbitrary code execution affects the Adobe Creative Cloud Desktop application through a Time-of-check Time-of-use (TOCTOU) race condition, letting a low-privileged local attacker execute code and - because the CVSS scope is changed - impact resources beyond the initial security context. No user interaction is required, but the race is hard to win: exploitation depends on conditions beyond the attacker's control, reflected in the high attack complexity. At time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Code execution in NVIDIA TensorRT is possible when the SDK processes a maliciously crafted input that overflows a heap-based buffer (CWE-122), corrupting adjacent heap memory. The flaw affects the TensorRT deep-learning inference library and requires a local user to load attacker-supplied content, per the AV:L/UI:R CVSS vector; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Successful exploitation yields full loss of confidentiality, integrity, and availability (C:H/I:H/A:H) in the context of the process running the inference job.
Local code execution in NVIDIA TensorRT is possible when the library parses an attacker-supplied input (such as a crafted model/engine file), triggering a heap-based buffer overflow (CWE-122) that can corrupt memory and lead to arbitrary code execution in the context of the process using TensorRT. The CVSS 3.1 vector (AV:L/UI:R) indicates the attacker needs local access and must induce a user or application to load malicious content, and there is no public exploit identified at time of analysis. TensorRT is NVIDIA's deep-learning inference SDK, so the affected population is developers, MLOps pipelines, and inference servers that load third-party or untrusted models.
Improper array index validation (CWE-129) in NVIDIA TensorRT allows an attacker to trigger out-of-bounds memory access that may lead to arbitrary code execution when a victim processes malicious input on the local host. The CVSS 3.1 vector (AV:L/UI:R) indicates the target must actively load attacker-controlled content, so exploitation hinges on tricking a user or automated pipeline into ingesting a crafted model or input file. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but with high confidentiality, integrity, and availability impact this is a meaningful priority for AI/ML inference environments.
NVIDIA TensorRT for contains a vulnerability where a user might cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution.
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in libyuv in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)
Arbitrary code execution in Adobe After Effects arises from an out-of-bounds write (CWE-787) that runs in the context of the current user when a victim opens a maliciously crafted project or media file. Adobe (via advisory APSB26-78) confirms the flaw; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.8 CVSS reflects high impact tempered by the local vector and required user interaction.
Arbitrary code execution in Adobe After Effects arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted project or media file, running attacker code with the privileges of the current user. Adobe self-reported the flaw in advisory APSB26-78; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (High) rating reflects high confidentiality, integrity, and availability impact but is gated by required user interaction and local file delivery.
NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause improper control of code generation. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause missing authentication for a critical function. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
Sensitive CA key exposure in forgekeep/nebula-mesh (<= 0.3.7) leaves the decrypted ed25519 CA signing key resident on the Go heap after web-UI mobile-bundle requests, because mobilebundle.Build never calls CAManager.Wipe() on any return path. An attacker who can read the process's memory (core dump, swap, or memory scraping) can recover the plaintext CA key and mint arbitrary host certificates for the mesh. There is no public exploit identified at time of analysis, this is not in CISA KEV, and no CVSS or EPSS score was supplied; the vendor 'RCE' tag overstates the direct impact, which is confidential-key disclosure rather than code execution.
NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an unsafe deserialization by unauthorized zeroMQ deserialization. A successful exploit of this vulnerability might lead to code execution.
Arbitrary code execution in Adobe Premiere Pro is possible via a heap-based buffer overflow (CWE-122) triggered when a victim opens a maliciously crafted project or media file, running attacker code in the context of the current user. The flaw is local and requires user interaction, with no public exploit identified at time of analysis; Adobe self-reported it in advisory APSB26-76. CVSS 7.8 reflects high confidentiality, integrity, and availability impact but a local attack vector gated by the user opening a malicious file.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- other
- Total CVEs
- 31864